Confidentiality
known as the CIA triad. First, we need to understand that these three letters all mean
almost everyday, and it means that we're going to keep the data,
confidentiality in our work, in the cybersecurity world, we normally use encryption. On encryption,
control, physical security, things that will allow us to maintain any certain level
Integrity
something that is similar to confidentiality but there are some differences. For example, integrity is just
the principle that all the data, all
the information, all the systems that we are going to use are not modified, are not changed by
any system, by any user, by any person in the transit or in the meantime that we are going
we are going to send an email from our email client to our company's headquarters
the computer of the client and we send on that email the VPN Software
modified in the transit. So, basically integrity deals with the process that each of the pieces of the
information that we are going
our Cybersecurity life? We normally use hashes. That concept, the hash concept
are going to explore in some videos in the future, but in the meantime, the important part
are going to use. For example, and I'm just going to explore a couple
of things here. So, for example, if we would go to the internet and go
to Google and search for Hash Generator Online. Here, we could for example, go to the second link.
Here is the URL
translate this word, the Security secure password word into these
into your, for example, into your e-mail account, if you go and try to instead
use the secure password, you use these string here, these letters and numbers, you are going to be
rejected by the system. But, in the cybersecurity world, these numbers, these keys, these letters and
the D for S for example, the hash will totally change. So, again if we
changed the S for D, the hash will be the same. So, this is a clear example
of what hash means. It is a procedure where the mathematical algorithm generates the
signature for, in this case for a word but
here is this SHA256 Sum. This is the algorithm, this is the hash that
version of Kali. So, for example, if we download this file and we start download
for example here in HTTP, the file will be downloaded. As soon as the
here, file calculator. In this case, we are going to use this site MD5 File.com
different algorithms. This means that for example, as soon as these download finish, if we upload the file
here into these online calculator
corrupted or the file suffers something in the transit between the Kali servers
of how we could use hashes in the real world, in the cybersecurity world.
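The two uses of hashes described above (one changed letter gives a completely different digest, and a published SHA256 sum lets you check that a downloaded image was not corrupted in transit) can be reproduced offline with the Python standard library. This is an added example and not code from the course; the "kali-example.iso" file and its sums line are constructed stand-ins for a real vendor image and its published SHA256SUMS entry.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an in-memory byte string (what the online generators do)."""
    return hashlib.sha256(data).hexdigest()


def hamming_hex(a: str, b: str) -> int:
    """Number of hex positions at which two equal-length digests differ."""
    if len(a) != len(b):
        raise ValueError("digests must have the same length")
    return sum(1 for x, y in zip(a, b) if x != y)


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so a multi-gigabyte ISO need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums_line(line: str) -> tuple[str, str]:
    """Parse one sha256sum-style line: '<64 hex chars>  <filename>'."""
    digest, _, name = line.strip().partition("  ")
    name = name.lstrip("*")  # some tools prefix a '*' for binary mode
    digest = digest.lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"malformed digest in line: {line!r}")
    return digest, name


def verify_download(path: Path, published_line: str) -> bool:
    """True only if the file's digest equals the published one (constant-time compare)."""
    expected, name = parse_sums_line(published_line)
    if name != path.name:
        raise ValueError(f"sums line is for {name!r}, not {path.name!r}")
    return hmac.compare_digest(sha256_file(path), expected)


def demo() -> dict:
    # Constructed sample words: change the first letter and compare the digests.
    h1 = sha256_hex(b"secure password")
    h2 = sha256_hex(b"decure password")
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for a downloaded image; not a real Kali file.
        iso = Path(tmp) / "kali-example.iso"
        original = bytes(range(256)) * 64
        iso.write_bytes(original)
        # In practice this line comes from the vendor's SHA256SUMS file; here it is
        # computed from the pristine bytes to play the role of the published value.
        sums_line = f"{sha256_hex(original)}  {iso.name}\n"
        intact = verify_download(iso, sums_line)
        # Simulate one bit flipped in transit and check again.
        damaged = bytearray(original)
        damaged[1000] ^= 0x01
        iso.write_bytes(bytes(damaged))
        after_damage = verify_download(iso, sums_line)
    return {
        "hex_positions_changed": hamming_hex(h1, h2),
        "intact_file_verifies": intact,
        "damaged_file_verifies": after_damage,
    }


if __name__ == "__main__":
    print(demo())
```

The comparison goes through `hmac.compare_digest` rather than `==` out of habit: for a public checksum it does not matter, but the same helper is often reused for secrets, and a constant-time compare costs nothing.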
Availability
and actually we deal with availability every day, it means that any data should be available always
a lack of availability is, do not have any kind of backups for our data for our systems. So what happens
when a cyber attack for
example occurs and somebody downloads ransomware in our network and all the
the last backup that we have on our system, and restore everything,
our systems are RAIDs. RAIDs are like this arrangement. These technologies use something that for
example will allow us to keep or to install
two, three, four, even naturally handle thousands of hard drives in our
servers for our data. So for example, if we have four different drives
in our file server, and one drive goes down because a mechanical part broke, well, it doesn't matter,
we have three different drives that have the same information and we could maintain
the only with hard drives, we're dealing with servers. ISP redundancy
connection goes down, well, such important is in these days when we are using
have an extra or a second ISP to have Internet in our company. Obviously backups, we already talked
Non-Repudiation
it applies to the CIA Triad. Another key term that we need to understand is something
called Non-Repudiation. Non-Repudiation is pretty simple. It's actually about the proof
the data received is not modified, is not altered. Not even in the transit, but in the origin of the data. So
for example, how could
some technology that will allow us to understand. If somebody sends an e-mail, that person is
actually that person, is not an attacker from another country trying to impersonate the person
that sent the e-mail. So that's something that we normally implement with
Kenneth sends an e-mail to his boss saying that he quit. So if there are no logs, if there is no
digital signature on the receiver side that says that Kenneth
about in the future, how could we use encryption, how could we use our public key infrastructure to
generate digital signatures, and how could we understand
logs in different systems. But at this moment, it's important to understand this concept, the
Non-Repudiation concept.
Access Management
In this video, you will learn to describe various methods of ensuring effective
say Monday to Friday, those will be the date that the people working on set will be allowed to access
those files. You can also restrict
maybe you want people to be able to read those files. We need to talk about
me to know something and maybe that will be the justification for me to have access to specific files
with just a single one time login process. There are some
the identity proofs. On most systems they will ask you for an identity and
authentication. To put an example, the username will be your identity proof. That's something that
yourself you need to authenticate that you are actually who you
authentication like CHAP, these are some type of authentication processes that are used to
communicate to systems. They rely on a [inaudible]. More specifically
in active directory we have something called Security ID and this basically it's a unique ID given
control that allows the users to give access to their own data to
or a sensitive data, I'm responsible for who is allowed to view and edit
today's companies are dealing with. It's actually something really really
networks at all are suffering. So, this means that as soon as somebody or
it will generate an incident. So, how could we take that incident, how could we take that event and
try to understand what happened? How could we prevent any new incident
in the future or how could we restore the service or the data or the computer or
are incident management. Obviously there is a lot of things, and we're going to talk
about those things now. So, basically there is some key components
that changed the normal behavior of the system, could be something that could
be programmed or not is something that change what is the normal process on the
it could be something expected or not. But normally, and the common criteria here is something
that changed the normal behavior or changed the normal process in the company
in the system, in the computer. Now we have the incident. The incident is the negative
if somebody logs in to the server and updates the ACL, that's an event. That event could be
generated or could be something that is suspected
because there is a ticket that says that, hey, the system administrator
access to the VPN user or something that. But what happens if somebody detects
that someone goes to the server, change the ACL, and disable or deny all the access to the servers in
the company from the external network? So nobody from the Internet,
nobody from the external network of the company can access the servers,
the normal service of the, company, could impact the legal part of
the financial part of the company, okay? Now to deal with the incident,
the CCERT, is the team that will, first of all, in some occasions,
where the will process to resolve the incident and resolve the issue
goes to the server, disables the firewall policy and nobody from the
external network can access the internal network, then our response team will
try to fix that firewall policy and try to restore the access to
the internal network of the company. Now, one important part of the response
they need to collect evidence, they need to maintain the chain of custody
of that process, of that event, of that incident in order to understand why this
incident happened, who performed the action, and what they need to do in the future to
prevent these incidents from happening again. So, that's the quick explanation
allow us to get the current status of all the data, all of the systems,
in our systems, in our network. Also will allow us to understand how could
we control the data retention period and the backups of that data. Not necessarily data, but
it's important if we have this system that deals with the payroll on monthly basis,
that e-discovery process. Then we have automated systems. We have a lot of things right
QRadar, ArcSight. We have user behavior analytics. We have big data analysis. We have honeypots and
honeytokens,
artificial intelligence. We have a lot of things. Why we have a lot of things? Because we have a lot of
assets,
again and again. But what about if we have 1,000 computers, 100 servers,
10 different routers and systems? We need to correlate. We need to centralize all the data
the company was affected by that incident. We have BCP and disaster recovery. BCP means business
continuity plan. And disaster recovery is
not just the incident response team, but guide all the organization
as soon as something happens. What happens when service was affected? That service won't be available
for the external users until the next three,
four hours. How our company will deal with that. How the systems or
how the IT department will deal with that. How the client service department will deal with all the calls
that they are going to receive from different
to recover all the different areas if a disaster occurs. By the term disaster, it doesn't
attack that will destroy all the data in our data center. How could we go and
recover everything from our data center? How could we restore everything? And the process that we
need to implement,
to inform the CEO of the company or inform to the public that we are going
happened in our data center. And obviously, the last term that we
as soon as the service is now up and running, why did this incident happen? What is the root cause of this
incident? Who did the attack, for example? Who implemented or who made the changes? Understand
what is
the difference between an error, what is a problem, and what
is the difference between an incident. So the important part here is an error. It's something that happen
on the system
system and you type your bank account. And instead of your bank account,
you type your name and you hit Enter and the system crashes because of that. That's probably an error
because
the system handles poorly the input of the user into a key,
they put letters and the system crashes? Well, that could be a problem. The system could have a problem
on the input validation side. And it's isolated since then could be
something that, well, it happened once. We still don't know why it happened,
but as soon as the user put numbers or put letters instead of numbers,
nothing happen. So that could be an isolated incident. The thing is we need to understand,
is an error, what is a problem, and what is an isolated incident. And the next part of the post-incident
concept is, well, lessons learned, and the reports that we could generate
in order to learn what happened. How could we prevent those events? And what happen if those
as soon as possible?
incident response processes and the three phases of Prepare, Respond, and Follow Up. How could we
deal with the cybersecurity
good organization that will have a lot of certifications or a lot of information regarding
understand if you have the e-discovery process. In other words, you will need to understand what kind
of
systems you are dealing with. If you have electronic data, do you have that
to worry about? Do you have controls? Do you have administrative, or technical, or physical controls to
protect your assets? Do you have, for example, a business impact analysis
a certain system goes down? How much money will you lose? How much time will you lose or your
operation
a USB key on your desk, and you grab the USB key and
plug it into your computer, and you download malware into your computer that's probably
a security incident. Well, it's a security incident but not a cybersecurity incident. So the way that you
incident will be different than the way that you are dealing with
another kind of security or another kind of incident in your organization. Then, you will need to start or
trigger the business
need to trigger the business continuity plan if the incident may require that. But the last part is decision
of help taking about, on the past incident or
things that you could do on the follow-up other than it's important to
the internal network and a malware goes through all of your network and infect
a lot of computers. So probably, it's a trend. If somebody again goes and leaves USB keys on
grab the same USB key, we'll go and plug the USB key
the investigation phase, and create a case. Create a business case, create a process
incident response plan, cyber incident response process. Something good if you
click on this link. You go here and open this link. You will get something like this. Actually, it's pretty
simple. You just need to select here. For example, what country
are you dealing with? For example, we could deal with the pharmaceutical industry. Some of things that
you
new things into this factors, the number or the cost of the cybersecurity
clicking on the factors and the related factors from the link here from
incident will be higher, the cost will be higher. Then, here, we have the
normalized statistics about how, based again on our location, the average time to identify
a cybersecurity breach, data breach, for example. The top three costs for this in factors for mitigating
in our data in our systems and obviously, the employee training process. On the next slide, we have a
couple of links also. If you prefer to understand the cybersecurity incident
process using a mini-map, you could go to those links. Those are actually pretty good but you'll have a
lot
of information here. You'll see a lot of things and probably will be overwhelming
to understand these, but that's actually pretty cool. You will have here
examining the logs, the reports, the architecture. You should have, for example, an information
gathering
Introduction to OWASP
cybersecurity strategy. The last part of the session is frameworks and their purposes. We're going to talk
normative, and compliance. So in the organization, we will have a lot of things, we will have, for
framework depends on your business is I-T-I-L, ITIL. So those are good things, good controls that will
improve, enhance your IT governance, your IT processes, your IT
of your servers. For example, if you go and grab the best practices
Microsoft SQL Server. But that best practice, that framework it's not something that you
will have to have, it's nice to have. You will have a lot
of good practices, you will have a lot of controls, you will have a lot
have it, that's it. That's something that will not necessarily
harm your business. If you don't have guidelines from Microsoft to implement
the servers, if you don't have the guidelines from Cisco to implement
governance in your company, you will lose your business, you will be part of
with your government. In the other corner, we have normative and compliance. The difference here is
you
company in United States. So in your health care company, you could have COBIT, you could have a lot
between baselines, frameworks, and best practices, and normative, and compliance. So as we
mentioned, we have a lot of things, we have, for example, as
to improve the way that our business deals with technology and
mentioned a couple of those. We could mention COBIT, we can mention ITIL, ISOs. For cyber security we
have the ISO 27000
recommendations. As soon as you start working with programming languages, which you will have a
lot
that you could follow on your software in your systems to avoid any kind of
IT Governance Process
something good to have. Good to understand and well, it's good to have but
will tell you what is the cause of the company. If the company wants
accomplish that strategic goal. The tactic plans are how could we accomplish the strategic part. So those
two plans
you need to have actually, is the policy. How the users will
policy should be in place to let the users know what they cannot do
and what they can do. Now there is a procedure, a procedure is for example what a new user should do
policy and the user will need to accept the policy in order to get internet access. That's something that
we
to your Wi-Fi network, you will receive a captive portal with a lot of information, a lot of data that says
in other words that
are going to send using that Wi-Fi connection will not have any responsible
what is a procedure. The procedure is again, the process that you need to follow in order to
have something, in order to perform something. The policy is simply the rules that you will
need to understand, that you will need to accept to start using your computer, your Internet, your
device. Governance, governance
your organization because all the different parts of your organization will
talk the same language. So for example, if somebody in accounting needs a modification on the payroll
system
because they found a bug, they know that if they want a modification in
create ticket number, create an incident case. That incident will go to the IT staff and
the IT staff will prioritize the incident into the queue to be treated
process from your IT staff. That's a good example of how your accounting department that probably
doesn't have anything
the same language that your IT department in order to all departments have
operate certain countries. So for example we have SOX. SOX is a financial compliance or financial
organizations and for example, if they transmit the information in a secure way for example. GLBA is
something
related to finance. PCI/DSS, these are related to the management of credit cards
assessment on a regular basis for them to comply with PCI/DSS. So here's just examples
that are important to understand is the main difference between the process that
any organization could perform in order to identify if they are compliant with
internal departments, by internal audit department and that's something normal with
during audit life-cycle. But the difference here is normally the internal
departments will generate reports but those reports are necessary to improve the
you want to comply with PCI DSS you will need to hire an external audit company
to generate a report and understand in which of the PCI DSS part you
all that PCI DSS parts, while the external company will let you know on the report
that you are able or you can go now and apply for
cards for example. Now here is a methodology which you could use in
your audit projects for example. Basically these processes could apply for external
simple with three phases. But inside each of the phases, you will have a bunch of steps and again this is
the organization view, you will need to understand the organization that
of system in motive to start looking for any finding, any incident or issue that you may report in
auditing a software, you will need to understand well, this is a web-based software and one of the
threats that
the software could have, is cross-site scripting attack. So it doesn't mean that
the software that you are auditing right now is prone to or have an issue regarding
cross-site scripting. But that's something that in phase number two and
are dealing with a web page or the web software will be prone to a cross-site
scripting attack. On phase number two, you will need to evaluate, you will need to
understand and you will need to debt or probably interview to the creators
this software doesn't have any security review. That will guarantee
that is truthful for example and the last part is the risk assessment.
The risk analysis. That process will translate all your findings in
your audit report, into a risk. This could be on the example that we are talking about
that will let you know that, yes, this software is not
for your organization? Well. If your business depends on that web system
probably it's a high-risk, probably it's a critical risk. So you will need to understand, you will need to
translate
the penetration testing process. The penetration testing phases that in the audit
yet to understand or to review if the system is prone to cross-site scripting. Well, on that pentesting site,
we will go and we will test the cross-site
scripting into the system. We will act like an attacker, like a hacker, and try to explore the system, try
to perform
the cross-site scripting and understand what happens. Understand if the system is prone to cross-site
scripting. Well, let's simulate,
the cross-site scripting attack into the system, and let's see what happened. Let's see if the system, let
me send a message to a user, and let me, through the user, to go to an external
website and try to hack the user's computer, try to hack the system. So basically,
the penetration testing or the ethical hacking
process this is just methodology used by Mile-2, is a vendor that has a lot of cybersecurity
and the standard process. So you will need to footprint your target on the same target that we have
the web
will let us know or in the Pentester view, we'll give the Pentester the knowledge to understand
if there is any port open. What is the operating system of the web server application? What is the
language? What is the database that the web application
the internal network and the same WordPress platform is prone to a SQL
for the database. Well, let's generate the attack, let's create the attack
and see what happen. If the attack was successful, we will have to perform
elevate the privilege, we could manipulate the data. We need to cover our tracks. For example, we
don't want for that CSEC to detect
leave a backdoor. Those processes, those steps, we'll understand or will give us an understanding that
the
system is prone to attacks, and not just prone to attack but the system will have
of the system, or will block the attack and will drop all the connections
need to act like an attacker, you will need to act as a hacker and perform
with these kind of test. But on the audit, the important part here is understand that if you
necessarily an audit. So there is a lot of differences, there is a lot of things that you will keep in mind in
order to perform each of both or
OWASP
Top 10 tests, when and why they are used, and where to get help from
with web application, if you are dealing with actually not necessarily
with applications at all, you could use the OWASP Top 10, and start performing tests
to perform a test into your web application. Actually, there is also a lot of information for
of categories here. So for example, let's go to the OWASP Top 10 project here. You will see that the top
10 for 2017, it's now available. So here you will load the report with all the different
for the web applications on the last 2-3 years since 2017. So for example, we have as
SQL injection for example? What are the attackers scenarios? What is that you need to perform in the
system in order to know if your system is prone or is vulnerable
broken authentication, sensitive data exposure, you have a lot of things to prove. Again, if you go to
the OWASP or something else known as the checklist. It's a document where you
your web applications in order to ensure that your web app is fully secure.
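The audit discussion above asks whether a web application is prone to cross-site scripting, and the OWASP Top 10 section adds SQL injection to the list of things to test for. The Python below is an added example, not code from the course or from OWASP: it puts the reflecting and the encoding way of rendering a comment side by side, and a string-built query beside a parameterised one, then runs a constructed test input through each so that the difference a code review or phase-two evaluation is looking for shows up as a concrete result. The table, rows and probe strings are all constructed for the demonstration.

```python
import html
import sqlite3


def render_unsafe(comment: str) -> str:
    """Reflects user input straight into the page: the pattern an audit flags as XSS-prone."""
    return f"<p>Comment: {comment}</p>"


def render_safe(comment: str) -> str:
    """Encodes the input for an HTML text context, so markup is displayed rather than executed."""
    return f"<p>Comment: {html.escape(comment, quote=True)}</p>"


def markup_survives(rendered: str, probe: str) -> bool:
    """True if the probe's tags reached the output untouched, i.e. the page is injectable."""
    return probe in rendered


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Builds the SQL by string formatting; a quote in the input changes the query itself."""
    return conn.execute(
        f"SELECT name, role FROM users WHERE name = '{name}'"
    ).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the driver binds the value, which is never parsed as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def run_checks() -> dict:
    """Run one constructed probe through each variant and report what came back."""
    xss_probe = "<script>alert(1)</script>"  # constructed test input
    sqli_probe = "' OR '1'='1"                # constructed test input
    conn = make_db()
    return {
        "xss_unsafe_reflects_markup": markup_survives(render_unsafe(xss_probe), xss_probe),
        "xss_safe_reflects_markup": markup_survives(render_safe(xss_probe), xss_probe),
        "sqli_unsafe_rows_returned": len(find_user_unsafe(conn, sqli_probe)),
        "sqli_safe_rows_returned": len(find_user_safe(conn, sqli_probe)),
    }


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(f"{check}: {result}")
```

The unsafe query returns every row because the quote in the input closes the string literal and the rest becomes part of the WHERE clause; the parameterised version returns none because no user is literally named `' OR '1'='1`. The same split applies to the HTML case: `html.escape` turns `<` into `&lt;`, so the browser shows the text of the probe instead of interpreting it.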